Teleport Configuration
Teleport uses the YAML file format for configuration. A full configuration reference file is shown below. This provides comments and all available options for `teleport.yaml`.
By default, Teleport reads its configuration from `/etc/teleport.yaml`.
Before using this reference
Do not use this example configuration in production.
You must edit your configuration file to meet the needs of your environment. Using a copy of the reference configuration will have unintended effects. To create a configuration file that you can use as a starting point, run the following command:
```shell
teleport configure -o file
```
There are also `configure` commands available for the SSH Service and Database Service. See our documentation on `teleport node configure` and `teleport db configure` in the Teleport CLI Reference.
You should back up your configuration file before making changes. This will enable you to roll back to the previous configuration if you need to.
Enabling Teleport services
The `teleport` process can run multiple services. For some services, you must enable the service within your Teleport configuration in order to start it. Other services are enabled by default.
To enable or disable a service, include the following in your Teleport configuration, replacing `service_name` with the name of your service (service names are listed below):
```yaml
service_name:
  enabled: "no"
```
Teleport supports the following services:
| Service | Configuration section | Enabled by default |
|---|---|---|
| Application Service | `app_service` | ❌ |
| Auth Service | `auth_service` | ✅ |
| Database Service | `db_service` | ❌ |
| Discovery Service | `discovery_service` | ❌ |
| Kubernetes Service | `kubernetes_service` | ❌ |
| Proxy Service | `proxy_service` | ✅ |
| SSH Service | `ssh_service` | ✅ |
| Desktop Service | `windows_desktop_service` | ❌ |
| Jamf Service | `jamf_service` | ❌ |
Teleport Cloud manages the Auth Service and Proxy Service for you. Instances of Teleport services (e.g., the Application Service and Database Service) should include the following configuration options to avoid unintended effects:
```yaml
auth_service:
  enabled: false
proxy_service:
  enabled: false
```
Reference configurations
These example configurations include all possible configuration options in YAML format to demonstrate proper use of indentation. The sections below cover the configuration options for each Teleport service in turn.
Instance-wide settings
These settings apply to any `teleport` instance:
```yaml
# By default, this file should be stored in /etc/teleport.yaml

# Configuration file version. The current version is "v3".
version: v3

# This section of the configuration file applies to all teleport
# services.
teleport:
  # nodename allows one to assign an alternative name this node can be
  # reached by. By default it's equal to hostname.
  nodename: graviton

  # Data directory where Teleport daemon keeps its data.
  data_dir: /var/lib/teleport

  # PID file for Teleport process
  #pid_file: /var/run/teleport.pid

  # The invitation token or an absolute path to a file containing the token used
  # to join a cluster. It is not used on subsequent starts.
  # If using a file, it only needs to exist when teleport is first run.
  #
  # File path example:
  # auth_token: /var/lib/teleport/tokenjoin
  #
  # This is the same as setting join_params.method to "token", and join_params.token_name
  # to the value of auth_token.
  # You should only use either auth_token or join_params.
  auth_token: xxxx-token-xxxx

  # join_params are parameters to set when joining a cluster via
  # EC2, IAM or a token.
  join_params:
    # When `method` is set to "token", it is the equivalent to using `auth_token` above.
    # You should only use either auth_token or join_params.
    method: "token"|"ec2"|"iam"|"github"|"circleci"|"kubernetes"

    # If method is not "token", token_name will be the name of
    # the joining token resource, e.g., "ec2-token" or "iam-token" as created
    # in the Joining Nodes via EC2 or IAM guides.
    # If method is "token", token_name will be the invitation token
    # or an absolute path to a file containing the token used to join a cluster.
    # It is not used on subsequent starts.
    # If using a file, it only needs to exist when teleport is first run.
    #
    # File path example:
    # token_name: /var/lib/teleport/tokenjoin
    token_name: "token-name"

  # Optional CA pin of the Auth Service. Specifying a CA pin enables new
  # agents to trust a Teleport cluster when joining via the Auth Service
  # directly. You can assign the ca_pin field to the literal value of the CA
  # pin or an absolute path to a file. If you specify a file, the file should
  # only contain the CA pin.
  #
  # You can also specify the value of the ca_pin key as a YAML list of CA pins
  # or file paths, e.g.:
  #
  # ca_pin:
  #   - /var/lib/teleport/pin1
  #   - /var/lib/teleport/pin2
  ca_pin: "sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1"

  # When running in multi-homed or NATed environments Teleport Nodes need
  # to know which IP they will be reachable at by other Nodes.
  #
  # This value can be specified as FQDN e.g. host.example.com
  advertise_ip: 10.1.0.5

  # Teleport provides HTTP endpoints for monitoring purposes. They are
  # disabled by default but you can enable them using the diagnosis address.
  diag_addr: "127.0.0.1:3000"

  # Only use one of auth_server or proxy_server.
  #
  # When you have either the application service or database service enabled,
  # only tunneling through the proxy is supported, so you should specify proxy_server.
  # All other services support both tunneling through the proxy and directly connecting
  # to the auth server, so you can specify either auth_server or proxy_server.

  # Auth Server address and port to connect to. If you enable the Teleport
  # Auth Server to run in High Availability configuration, the address should
  # point to a Load Balancer.
  # If adding a node located behind NAT, use the Proxy URL (e.g. teleport-proxy.example.com:443)
  # and set `proxy_server` instead.
  auth_server: 10.1.0.5:3025

  # Proxy Server address and port to connect to. If you enable the Teleport
  # Proxy Server to run in High Availability configuration, the address should
  # point to a Load Balancer.
  proxy_server: teleport-proxy.example.com:443

  # cache:
  #   # The cache is enabled by default, it can be disabled with this flag
  #   enabled: true

  # Teleport can limit the number of connections coming from each client
  # IP address to avoid abuse. Note that these limits are enforced separately
  # for each service (SSH, Kubernetes, etc.)
  connection_limits:
    max_connections: 1000

  # Logging configuration. Possible output values are a file path on disk such as
  # '/var/lib/teleport/teleport.log', 'stdout', 'stderr' and 'syslog'.
  # Possible severity values are DEBUG, INFO (default), WARN, and ERROR.
  log:
    output: /var/lib/teleport/teleport.log
    severity: INFO

    # Log format configuration
    # Possible output values are 'json' and 'text' (default).
    # Possible extra_fields values include: timestamp, component, caller,
    # and level.
    # All extra fields are included by default.
    format:
      output: text
      extra_fields: [level, timestamp, component, caller]
```
Further reading:
- Joining Services to a Cluster: available join methods to help you configure `join_params`.
- Using a CA Pin: when to assign a value to `ca_pin`.
- Teleport Metrics Reference: data to collect using `diag_addr`.
Proxy Service
These settings apply to the Teleport Proxy Service:
Teleport Enterprise Cloud manages the Proxy Service for you, so you do not need to specify these configuration settings.
```yaml
# This section configures the 'proxy service'
proxy_service:
  # Turns 'proxy' role on. Default is 'yes'
  enabled: yes

  # proxy_protocol controls support for HAProxy PROXY protocol.
  # Unspecified by default, possible values:
  # 'on' - PROXY protocol is enabled and required.
  # 'off' - PROXY protocol is disabled and forbidden.
  #
  # If unspecified, PROXY protocol is allowed, but not required. This is
  # suitable for test environments, but not recommended for production use.
  # Teleport's IP pinning functionality will not work if this field is left
  # unspecified and PROXY headers are received.
  # Set to `on` if Proxy service runs behind a L4 load balancer that sends PROXY
  # headers, otherwise set to `off`.
  proxy_protocol: on

  # SSH forwarding/proxy address. Command line (CLI) clients always begin
  # their SSH sessions by connecting to this port
  #
  # If not set, behavior depends on the config file version:
  #
  # v2 and above: listener is not created, SSH is multiplexed on web_listen_addr
  # v1: defaults to 0.0.0.0:3023
  listen_addr: 0.0.0.0:3023

  # Reverse tunnel listening address. An auth server (CA) can establish an
  # outbound (from behind the firewall) connection to this address.
  # This will allow users of the outside CA to connect to
  # behind-the-firewall nodes.
  #
  # If not set, behavior depends on the config file version:
  #
  # v2 and above: listener is not created, reverse tunnel traffic is multiplexed on web_listen_addr
  # v1: defaults to 0.0.0.0:3024
  tunnel_listen_addr: 0.0.0.0:3024

  # Proxy Peering listening address. Teleport Proxy Services will bind to this address
  # to listen for incoming connections from dialing agents in Proxy Peering mode.
  peer_listen_addr: 0.0.0.0:3021

  # Proxy Peering public address. Teleport Proxy Services will advertise this address
  # for dialing agents in Proxy Peering mode.
  # NOTE: This address should be unique to each proxy and should not point to a load balancer.
  # Using a load balancer address here will lead to unpredictable results and connection delays.
  peer_public_addr: teleport-proxy-host-1.example.com:3021

  # The HTTPS listen address to serve the Web UI and authenticate users.
  # Handles the PostgreSQL proxy if the Database Service is enabled.
  web_listen_addr: 0.0.0.0:3080

  # The DNS name of the proxy HTTPS endpoint as accessible by cluster users.
  # Defaults to the proxy's hostname if not specified. If running multiple
  # proxies behind a load balancer, this name must point to the load balancer.
  # If application access is enabled, public_addr is used to write correct
  # redirects.
  # If database access is enabled, Database clients will connect to the Proxy
  # over this hostname.
  public_addr: proxy.example.com:3080

  # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
  # Defaults to the proxy's hostname if not specified. If running multiple
  # proxies behind a load balancer, this name must point to the load
  # balancer.
  # Use a TCP load balancer because this port uses SSH protocol.
  ssh_public_addr: proxy.example.com:3023

  # The DNS name of the tunnel SSH endpoint as accessible by trusted clusters
  # and nodes joining the cluster via Teleport IoT/node tunneling.
  # Defaults to the proxy's hostname if not specified. If running multiple
  # proxies behind a load balancer, this name must point to the load
  # balancer. Use a TCP load balancer because this port uses SSH protocol.
  tunnel_public_addr: proxy.example.com:3024

  # TLS certificate for the HTTPS connection. Configuring these properly is
  # critical for Teleport security.
  https_keypairs:
    - key_file: /var/lib/teleport/webproxy_key.pem
      cert_file: /var/lib/teleport/webproxy_cert.pem
    - key_file: /etc/letsencrypt/live/*.teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/*.teleport.example.com/fullchain.pem

  # Interval between attempts to reload the certificate key pairs.
  # If one of the key pairs fails to load, then no key pair is reloaded.
  # If set to 0 (the default), then periodic reloading is disabled.
  # To use this feature correctly, certificate files should be updated atomically.
  https_keypairs_reload_interval: 1h

  # Kubernetes proxy listen address.
  #
  # If not set, behavior depends on the config file version:
  #
  # v2 and above: listener is not created, Kubernetes traffic is multiplexed on web_listen_addr
  # v1: defaults to 0.0.0.0:3026
  kube_listen_addr: 0.0.0.0:3026

  # optional: set a different public address for kubernetes access
  kube_public_addr: kube.example.com:3026

  # MySQL proxy listen address.
  #
  # If not set, behavior depends on the config file version:
  #
  # v2 and above: listener is not created, MySQL traffic is multiplexed on web_listen_addr
  # v1: defaults to 0.0.0.0:3036
  mysql_listen_addr: "0.0.0.0:3036"

  # Postgres Proxy listener address. If provided, proxy will use a separate
  # listener instead of multiplexing Postgres protocol on web_listen_addr.
  # postgres_listen_addr: "0.0.0.0:5432"

  # Mongo Proxy listener address. If provided, proxy will use a separate
  # listener instead of multiplexing Mongo protocol on web_listen_addr.
  # mongo_listen_addr: "0.0.0.0:27017"

  # Address advertised to MySQL clients. If not set, public_addr is used.
  mysql_public_addr: "mysql.teleport.example.com:3306"

  # Address advertised to PostgreSQL clients. If not set, public_addr is
  # used.
  postgres_public_addr: "postgres.teleport.example.com:443"

  # Address advertised to Mongo clients. If not set, public_addr is used.
  mongo_public_addr: "mongo.teleport.example.com:443"

  # Get an automatic certificate from Letsencrypt.org using ACME via
  # TLS_ALPN-01 challenge.
  # When using ACME, the 'proxy_service' must be publicly accessible over
  # port 443.
  # Also set using the CLI command:
  # 'teleport configure --acme --acme-email=email@example.com \
  # --cluster-name=tele.example.com -o file'
  # This should NOT be enabled in a highly available Teleport deployment.
  # Using it in HA can lead to too many failed authorizations and a lock-up
  # of the ACME process (https://letsencrypt.org/docs/failed-validation-limit/)
  #acme:
  #  enabled: yes
  #  email: user@example.com

  # Identity provider configuration. Provides detailed configuration for
  # Teleport's identity providers. At present, only SAML is supported.
  idp:
    # SAML identity provider configuration.
    saml:
      # Turns the SAML identity provider on. Default is 'yes'.
      enabled: yes

  # Configuration options for the Web UI served by the Proxy Service.
  ui:
    # The amount of scrollback in the terminal. Scrollback is the amount of
    # rows that are retained when lines are scrolled beyond the initial
    # viewport. Does not apply to session recording view.
    scrollback_lines: 1000

    # Which resources should be shown in the web UI resources page: resources the user
    # has access to, and resources the user can request access to. By default, both types
    # are included. If you wish for users to only see resources they have access to, set
    # this to "accessible_only".
    show_resources: 'requestable'

  # Enables the Proxy service to take client source IPs from the
  # "X-Forwarded-For" headers for web APIs.
  #
  # In order to prevent IP spoofing, it is important to ensure that the Proxy
  # service is placed behind a layer 7 load balancer or reverse proxy that
  # sets client IPs in the "X-Forwarded-For" headers. Requests with more than
  # one IP will be rejected.
  trust_x_forwarded_for: false

  # Configuration for the built-in version server for agent automatic updates.
  # If you leave this configuration unset, a default channel is created and
  # serves the Teleport version run by the Proxy Service.
  automatic_upgrades_channels:
    # Override the default version channel
    default:
      static_version: v14.2.1
    # Define a new version channel with a static version
    additional/channel/static:
      static_version: v14.2.0
      critical: true
    # Define a new version channel forwarding requests to an upstream version server
    additional/channel/remote:
      forward_url: https://updates.releases.teleport.dev/v1/stable/cloud
```
Auth Service
These settings apply to the Teleport Auth Service:
Teleport Enterprise Cloud manages the Auth Service for you, so you do not need to specify these configuration settings.
```yaml
teleport:
  # Configuration for the storage back-end used for the cluster state and the
  # audit log. Several back-end types are supported.
  storage:
    # By default teleport uses a SQLite database in the `data_dir`
    # directory on a local filesystem
    type: sqlite

    # List of locations where the audit log events will be stored. By
    # default, they are stored in `/var/lib/teleport/log`.
    #
    # When specifying multiple destinations like this, make sure that
    # highly-available storage methods (like DynamoDB or Firestore) are
    # specified first, as this is what the Teleport Web UI uses as its
    # source of events to display.
    audit_events_uri:
      - 'dynamodb://events_table_name'
      - 'firestore://events_table_name'
      - 'postgresql://user_name@database-address/events_table_name'
      - 'file:///var/lib/teleport/log'
      - 'stdout://'

    # Use this setting to configure teleport to store the recorded sessions
    # in an AWS S3 bucket or use GCP Storage with 'gs://'.
    audit_sessions_uri: 's3://example.com/path/to/bucket?region=us-east-1'

    # SQLite-specific section:

    # The default path is the `backend` directory in the `data_dir`
    path: /var/lib/teleport/backend/
    # SQLite's `synchronous` pragma, can be set to `"OFF"` for improved
    # write performance in exchange for reliability against system crashes
    # (see https://www.sqlite.org/pragma.html#pragma_synchronous).
    sync: FULL
    # SQLite's `journal_mode` pragma, by default it doesn't change the mode from
    # the SQLite default (DELETE unless the database file is using WAL mode).
    # For improved performance without sacrificing reliability it's possible to
    # set `journal` to `WAL` and `sync` to `NORMAL`, but only when using a filesystem
    # that supports locks (see https://www.sqlite.org/pragma.html#pragma_journal_mode).
    #journal: DELETE

    # DynamoDB-specific section:

    # continuous_backups is used to enable continuous backups.
    # default: false
    continuous_backups: true

    # auto_scaling is used to enable (and define settings for) auto
    # scaling.
    # default: false
    auto_scaling: true

    # By default, Teleport stores audit events with an AWS TTL of 1 year.
    # This value can be configured as shown below. If set to 0 seconds, TTL is disabled.
    #
    # NOTE: Only the DynamoDB events backend respects the retention_period. All other event backends
    # consume the retention period via a query parameter in the audit_events_uri. See the examples below
    # for how to configure the retention period for other backends.
    # Firestore: firestore://events_table_name?eventRetentionPeriod=10d
    # Postgres: postgresql://user_name@database-address/teleport_audit#retention_period=240h
    retention_period: 365d

    # minimum/maximum read capacity in units
    read_min_capacity: int
    read_max_capacity: int
    read_target_value: float
    # minimum/maximum write capacity in units
    write_min_capacity: int
    write_max_capacity: int
    write_target_value: float

  # Default cipher algorithms for SSH. This section only needs to be set if
  # you want to override the defaults.
  ciphers:
    - aes128-ctr
    - aes192-ctr
    - aes256-ctr
    - aes128-gcm@openssh.com
    - aes256-gcm@openssh.com
    - chacha20-poly1305@openssh.com

  # Default key exchange algorithms (KEX) for SSH. This section only needs to
  # be set if you want to override the defaults.
  kex_algos:
    - curve25519-sha256
    - curve25519-sha256@libssh.org
    - ecdh-sha2-nistp256
    - ecdh-sha2-nistp384
    - ecdh-sha2-nistp521
    - diffie-hellman-group14-sha256

  # Default message authentication code (MAC) algorithms for SSH. This
  # section only needs to be set if you want to override the defaults.
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-512-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha2-512

  # Default ciphersuites for TLS. If this section is not specified, only the
  # default ciphersuites are enabled.
  ciphersuites:
    - tls-ecdhe-rsa-with-aes-128-gcm-sha256
    - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
    - tls-ecdhe-rsa-with-aes-256-gcm-sha384
    - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
    - tls-ecdhe-rsa-with-chacha20-poly1305
    - tls-ecdhe-ecdsa-with-chacha20-poly1305

# This section configures the 'auth service':
auth_service:
  # Turns 'auth' role on. Default is 'yes'
  enabled: yes

  # cluster_name is the name used to initiate a new cluster.
  # A cluster name is used as part of a signature in certificates
  # generated by this CA.
  #
  # We strongly recommend explicitly setting it to something meaningful as it
  # becomes important when configuring trust between multiple clusters.
  #
  # By default an automatically generated name is used (not recommended)
  #
  # IMPORTANT: changes to this field won't have an effect on an already created cluster.
  # To change the name of an existing cluster, you can use
  # the 'POST /v2/configuration/name' endpoint, but it will invalidate all generated
  # certificates and keys (may need to wipe out /var/lib/teleport directory)
  cluster_name: "main"

  # proxy_protocol controls support for HAProxy PROXY protocol.
  # Unspecified by default, possible values:
  # 'on' - PROXY protocol is enabled and required.
  # 'off' - PROXY protocol is disabled and forbidden.
  #
  # If unspecified, PROXY protocol is allowed, but not required. This is
  # suitable for test environments, but not recommended for production use.
  # Teleport's IP pinning functionality will not work if this field is left
  # unspecified and PROXY headers are received.
  # Set to `on` if Auth service runs behind a L4 load balancer that sends PROXY
  # headers, otherwise set to `off`.
  proxy_protocol: on

  authentication:
    # default authentication type. possible values are 'local' and 'github'
    # for Teleport Community Edition, plus 'oidc' and 'saml' for Enterprise.
    # Only local authentication (Teleport's own user DB) and GitHub are
    # supported in the open source version
    type: local

    # Sets whether local auth is enabled alongside any other authentication
    # type. Default is true. local_auth must be 'false' for FedRAMP / FIPS.
    #local_auth: true

    # Enforce per-session MFA or PIV-hardware key restrictions on user login sessions.
    # Possible values: true, false, "hardware_key", "hardware_key_touch".
    # Defaults to false.
    require_session_mfa: false

    # second_factors is the list of allowed second factors for the cluster.
    # Possible values: "otp", "webauthn", and "sso". Order does not matter.
    # Defaults to ["otp"].
    second_factors: ["webauthn", "otp"]

    # second_factor can be 'on', 'otp' or 'webauthn'.
    # - 'on' requires either otp or webauthn second factor.
    # - 'otp' and 'webauthn' require the corresponding second factor.
    #
    # Prefer setting second_factors instead.
    #second_factor: otp

    # Sets whether passwordless authentication is allowed.
    # Passwordless requires WebAuthn.
    # Defaults to "true".
    #passwordless: true

    # Sets whether headless authentication is allowed.
    # Headless authentication requires WebAuthn.
    # Defaults to "true".
    #headless: true

    # Sets the default authentication connector for the cluster:
    # - 'local' for local authentication (password, WebAuthn, etc.)
    # - 'passwordless' for passwordless authentication
    # - 'headless' for headless authentication
    # - A specific SSO connector name
    # Defaults to "local".
    #connector_name: local

    # this section is used if second_factor is set to 'on', 'optional' or
    # 'webauthn'.
    webauthn:
      # public domain of the Teleport proxy, *excluding* protocol
      # (`https://`) and port number.
      #
      # IMPORTANT: rp_id must never change in the lifetime of the cluster,
      # because it's recorded in the registration data on the second factor
      # authenticator. If the rp_id changes, all existing authenticator
      # registrations will become invalid and all users who use WebAuthn as
      # the second factor will need to re-register.
      rp_id: "localhost"

      # optional allow list of certificate authorities (as local file paths
      # or in-line PEM certificate string) for device verification
      # (https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
      # This field allows you to restrict which device models and vendors
      # you trust.
      # Devices outside of the list will be rejected during registration.
      # By default all devices are allowed.
      # If you must use attestation, consider using
      # `attestation_denied_cas` to forbid troublesome devices instead.
      attestation_allowed_cas:
        - /path/to/allowed_ca.pem
        - |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----

      # optional deny list of certificate authorities (as local file paths
      # or in-line PEM certificate string) for device verification
      # (https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Attestation.html).
      # This field allows you to forbid specific device models and vendors,
      # while allowing all others (provided they clear
      # `attestation_allowed_cas` as well).
      # Devices within this list will be rejected during registration. By
      # default no devices are forbidden.
      attestation_denied_cas:
        - /path/to/denied_ca.pem
        - |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----

      # if set to true, disables WebAuthn. Allows a fallback to U2F for
      # second factor modes 'on' and 'optional'.
      disabled: false

    # the U2F section is kept for legacy purposes and to support existing
    # U2F registrations.
    u2f:
      # app ID used by U2F registrations.
      # Keep it in your config to avoid having to re-register U2F devices.
      app_id: https://localhost:3080

    # Locking mode determines how to apply lock views locally available to
    # a Teleport component; can be strict or best_effort.
    locking_mode: best_effort

    # Device Trust configures Teleport's behavior in regards to trusted
    # devices.
    # Device Trust is a Teleport Enterprise feature.
    device_trust:
      # 'mode' is the cluster-wide device trust mode.
      # The following values are supported:
      # - 'off' - disables device trust. Device authentication is not
      #   performed and device-aware audit logs are absent.
      # - 'optional' - enables device authentication and device-aware audit,
      #   but doesn't require a trusted device to access resources.
      # - 'required' - enables device authentication and device-aware audit.
      #   Additionally, it requires a trusted device for all SSH, Database
      #   and Kubernetes connections.
      mode: optional # always "off" for Teleport Community Edition

  # Determines the default time to live for user certificates
  # issued by this auth server, defaults to 12 hours. Examples:
  # "14h30m", "1h" etc.
  default_session_ttl: 12h

  # IP and the port to bind to. Other Teleport Nodes will be connecting to
  # this port (AKA "Auth API" or "Cluster API") to validate client
  # certificates
  listen_addr: 0.0.0.0:3025

  # The optional DNS name for the auth server if located behind a load
  # balancer.
  public_addr: auth.example.com:3025

  # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
  # the role a new node will be allowed to assume. The more secure way to
  # add nodes is to use the `tctl nodes add --ttl` command to generate auto-expiring
  # tokens.
  #
  # We recommend using tools like `pwgen` to generate sufficiently random
  # tokens of 32+ byte length.
  tokens:
    - "proxy,node:xxxxx"
    - "auth:yyyy"

  # Optional setting for configuring session recording. Possible values are:
  # "node" : (default) sessions will be recorded on the node
  # and periodically cleaned up after they are uploaded
  # to the storage service.
  # "node-sync" : session recordings will be streamed from
  # node -> auth -> storage service without being stored on
  # disk at all.
  # "proxy" : sessions will be recorded on the proxy and periodically
  # cleaned up after they are uploaded to the storage service.
  # "proxy-sync" : session recordings will be streamed from
  # proxy -> auth -> storage service without being stored on
  # disk at all.
  # "off" : session recording is turned off
  #
  session_recording: "node"

  # This setting determines if a Teleport proxy performs strict host key
  # checks.
  # Only applicable if session_recording=proxy
  proxy_checks_host_keys: yes

  # Determines if sessions to cluster resources are forcefully terminated after
  # no activity from a client (idle client).
  # Examples: "30m", "1h" or "1h30m"
  client_idle_timeout: never

  # Send a custom message to the client when they are disconnected due to
  # inactivity. The empty string indicates that no message will be sent.
  # (Currently only supported for Server Access connections)
  client_idle_timeout_message: ""

  # Sets an idle timeout for the Web UI. The default is 10m.
  web_idle_timeout: 10m

  # Determines if the clients will be forcefully disconnected when their
  # certificates expire in the middle of an active session. (default is 'no')
  disconnect_expired_cert: no

  # keep_alive_interval determines the interval at which Teleport will
  # send keep-alive messages for client and reverse tunnel connections.
  # The default is set to 5 minutes (300 seconds) to stay lower than the
  # common load balancer timeout of 350 seconds.
  # keep_alive_count_max is the number of missed keep-alive messages before
  # the Teleport cluster tears down the connection to the client or service.
  keep_alive_interval: 5m
  keep_alive_count_max: 3

  # Specifies the cluster wide dial timeout used for establishing SSH connections
  # via tsh ssh and the Web UI. The default value of 30 seconds should suffice for
  # most use cases. However, if there are multiple network hops to reach the target
  # host causing dial timeout failures, this value can be increased as needed.
  ssh_dial_timeout: 30s

  # Determines the internal session control timeout cluster-wide. This value
  # will be used with enterprise max_connections and max_sessions. It's
  # unlikely that you'll need to change this.
  # session_control_timeout: 2m

  # Determines the routing strategy used to connect to nodes. Can be
  # 'unambiguous_match' (default), or 'most_recent'.
  routing_strategy: unambiguous_match

  # License file to start auth server with. Note that this setting is ignored
  # in the Teleport Community Edition and is required only for Teleport Enterprise.
  #
  # The path can be either absolute or relative to the configured `data_dir`
  # and should point to the license file obtained from Teleport Download
  # Portal.
  #
  # If not set, by default Teleport will look for the `license.pem` file in
  # the configured `data_dir`.
  license_file: /var/lib/teleport/license.pem

  # Configures a banner message to be displayed to a user logging into the
  # cluster, which must be acknowledged before the user is allowed to log in.
  # Note that it will be shown *before* login, so it should not contain any
  # confidential information.
  # Defaults to the empty string, implying no message or acknowledgment is
  # required.
  message_of_the_day: ""

  # Indicates to the clients whether the cluster is running in TLS routing
  # mode with all protocols multiplexed on the proxy's web_listen_addr.
  #
  # Possible values are:
  #
  # "multiplex": clients will be connecting to Teleport proxy's web listener
  # in TLS routing mode.
  # "separate": clients will be connecting to Teleport proxy's individual
  # listeners: tunnel_listen_addr, mysql_listen_addr, etc.
  #
  # See "TLS Routing" in Architecture section for additional information.
  proxy_listener_mode: multiplex

  # Determines the strategy that the cluster uses for connecting clients to
  # agents through the Teleport Proxy Service.
  tunnel_strategy:
    # Possible tunnel strategy types are:
    #
    # "agent_mesh": The default behavior, where agents will connect to every
    # Teleport Proxy Service instance.
    # "proxy_peering": Agents will connect to a subset of Proxy Service instances
    # and clients will be routed between Proxy Service instances
    # for end-to-end connectivity.
    type: proxy_peering

    # The number of reverse tunnel connections agents will attempt to create.
    # This field is only available when using the "proxy_peering" tunnel
    # strategy type. For high availability we recommend setting this value to
    # 2 or more.
    agent_connection_count: 1

  # Tells tsh to load the CAs of all clusters when trying to ssh into a Teleport Node,
  # instead of just the CA for the current cluster. This may be useful for
  # users that want to log in to a root cluster and then "tsh ssh" into a node
  # in a leaf cluster. Defaults to false.
  load_all_cas: false

  # Enables case-insensitivity for ssh dial requests. Setting this to true will allow
  # 'tsh ssh myserver' to route to host 'MyServer'. Dialing with an uppercase hostname
  # will still require an exact match. OpenSSH always lowercases hostnames, so setting
  # this to true is necessary if you want to use OpenSSH to access nodes with uppercase
  # characters in their hostnames.
  case_insensitive_routing: false

  # AccessMonitoring is a set of options related to the Access Monitoring feature.
  access_monitoring:
    # Turn on Access Monitoring. Default is 'no'.
    enabled: yes
    # AWS role ARN that Teleport will assume to execute Athena SQL queries.
    # The Teleport role should be configured with a trust relationship and should be able to assume this role.
    role_arn: arn:aws:iam::123456789012:role/AccessMonitoringRole
    # S3 bucket where Access Monitoring reports will be stored.
    report_results: s3://audit-long-term/report_results
    # (Optional) Athena workgroup used by access monitoring queries (if not set, the default primary workgroup will be used).
    workgroup: access_monitoring_workgroup
```
Further reading:
- Storage Backends reference: instructions on configuring DynamoDB, S3, etcd, and other highly available backends.
- Passwordless: More information about the passwordless authentication option.
- Headless WebAuthn: The headless authentication option.
- Single Sign-On: Configuring SSO so that Teleport uses a specific SSO authentication connector.
- Locking: Configuring the locking_mode option.
- Device Trust: Configuring the device_trust section.
- Recording Proxy Mode: If you configure Recording Proxy Mode, consider enabling proxy_checks_host_keys.
SSH Service
These settings apply to the Teleport SSH Service:
ssh_service:
  # Turns 'ssh' role on. Default is 'yes'
  enabled: yes
  # IP and the port for SSH service to bind to.
  listen_addr: 0.0.0.0:3022
  # The optional public address of the SSH service. This is useful if
  # administrators want to allow users to connect to nodes directly,
  # bypassing a Teleport proxy.
  public_addr: node.example.com:3022
  labels:
    role: leader
    type: postgres
  # List of the commands to periodically execute. Their output will be used
  # as node labels.
  commands:
    # this command will add a label 'arch=x86_64' to a node
    - name: arch
      command: ['/bin/uname', '-p']
      period: 1h0m0s
  # Enables reading ~/.tsh/environment on the server before creating a session.
  # Disabled by default. Can be enabled here or via the `--permit-user-env` flag.
  permit_user_env: false
  # Disables automatic creation of host users on this SSH node.
  # Set to false by default.
  disable_create_host_user: true
  # Enhanced Session Recording
  enhanced_recording:
    # Enable or disable enhanced auditing for this node. Default value:
    # false.
    enabled: false
    # command_buffer_size is optional with a default value of 8 pages.
    command_buffer_size: 8
    # disk_buffer_size is optional with default value of 128 pages.
    disk_buffer_size: 128
    # network_buffer_size is optional with default value of 8 pages.
    network_buffer_size: 8
    # Controls where cgroupv2 hierarchy is mounted. Default value:
    # /cgroup2.
    cgroup_path: /cgroup2
    # Optional: Controls the path inside cgroupv2 hierarchy where Teleport
    # cgroups will be placed. Default value: /teleport
    root_path: /teleport
  # Configures the PAM integration.
  pam:
    # "no" by default
    enabled: yes
    # use /etc/pam.d/sshd configuration (the default)
    service_name: "sshd"
    # use the "auth" modules in the PAM config
    # "false" by default
    use_pam_auth: true
  # Enables/disables TCP forwarding. Default is 'true'
  port_forwarding: true
  # When x11.enabled is set to yes, users with the "permit_x11_forwarding"
  # role option will be able to request X11 forwarding sessions with
  # "tsh ssh -X".
  #
  # X11 forwarding will only work if the server has the "xauth" binary
  # installed and the Teleport Node can open Unix sockets.
  # e.g. "$TEMP/.X11-unix/X[display_number]."
  x11:
    # no by default
    enabled: yes
    # display_offset can be used to specify the start of the range of X11
    # displays the server will use when granting X11 forwarding sessions
    # 10 by default
    display_offset: 10
    # max_display can be set to specify the end of the range of X11 displays
    # to use when granting X11 forwarding sessions
    # display_offset + 1000 by default
    max_display: 1010
  # Enables/disables remote file operations via SCP/SFTP for this Node. Default
  # value: true
  ssh_file_copy: true
Further reading:
- Enhanced Session Recording: Configuring enhanced_recording.
- PAM Integration: Configuring the pam section.
Kubernetes Service
These settings apply to the Teleport Kubernetes Service:
kubernetes_service:
  enabled: "yes"
  # Optional Public & Listen Addr: Set these if you are connecting to
  # Teleport running inside a Kubernetes cluster instead of using a
  # reverse tunnel.
  #
  # Optional Public Addr
  public_addr: [k8s.example.com:3026]
  # Optional Listen Addr
  listen_addr: 0.0.0.0:3026
  # Optional kubeconfig_file and kube_cluster_name. Exactly one of these must
  # be set.
  #
  # When running teleport outside of the Kubernetes cluster, use
  # kubeconfig_file to provide teleport with cluster credentials.
  #
  # When running teleport inside of the Kubernetes cluster pod, use
  # kube_cluster_name to provide a user-visible name. Teleport uses the pod
  # service account credentials to authenticate to its local kubernetes API.
  kubeconfig_file: /secrets/kubeconfig
  kube_cluster_name:
  # Matchers for dynamic kubernetes cluster resources created with "tctl create" command or by Kubernetes auto-discovery.
  # When resources were created by 'discovery_service', 'kubernetes_service' must have the required permissions.
  resources:
    - labels:
        "*": "*"
      # Optional AWS role that the Teleport Kubernetes Service will assume to access
      # EKS clusters.
      aws:
        assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
        external_id: "example-external-id"
  # Optional labels: These can be used in combination with RBAC rules
  # to limit access to applications.
  # When using kubeconfig_file above, these labels apply to all kubernetes
  # clusters specified in the kubeconfig.
  labels:
    env: "prod"
  # Optional Dynamic Labels
  commands:
    - name: "os"
      command: ["/usr/bin/uname"]
      period: "5s"
    # Get cluster name on GKE.
    - name: cluster-name
      command:
        - 'curl'
        - 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name'
        - '-H'
        - 'Metadata-Flavor: Google'
      period: 1m0s
Application Service
These settings apply to the Teleport Application Service:
app_service:
  # Turns 'app' role on. Default is 'no'
  enabled: yes
  # Teleport contains a small debug app that can be used to make sure the
  # Application Service is working correctly. The app outputs JWTs so it can
  # be useful when extending your application.
  debug_app: true
  # Matchers for dynamic application resources
  #
  # All application resources have a predefined "teleport.dev/origin" label with
  # one of the following values:
  # "dynamic": application resources created via an Auth Service API
  # client like `tctl` or the Teleport Terraform provider
  # "config": application resources defined in the "apps" array below
  resources:
    - labels:
        "*": "*"
  apps:
    - name: "kubernetes-dashboard"
      # Optional: For access to cloud provider APIs, specify the cloud
      # provider. Allowed values are "AWS", "Azure", and "GCP".
      cloud: ""
      # Optional: Free-form description of the application.
      description: "Kubernetes Dashboard to development cluster"
      # URI of Application. For TCP applications
      # use tcp, ex: tcp://localhost:5432.
      uri: "http://10.0.1.27:8000"
      # Optionally skip TLS verification. default false
      # insecure_skip_verify: true
      # Optional Public Addr
      public_addr: "example.com"
      # Optional Label: These can be used in combination with RBAC rules
      # to limit access to applications
      labels:
        env: "prod"
      # # Optional list of Teleport application names that require a session for this app to function correctly.
      # # When launching this app, any app listed here will also be launched, and a session will be created.
      # # These sessions follow their respective RBAC policies.
      # required_apps:
      #   - "my-api"
      #   - "prod-database"
      #   # Add more required app names as needed
      # # Optional CORS policy is used for preflight requests only. It does not overwrite the contained
      # # app's CORS policy per route but is used by Teleport to respond to unauthenticated OPTIONS requests.
      # # Important Notes:
      # # - Each field in the CORS spec is optional.
      # # - The allowed_headers field accepts wildcard entries. However, in requests with "allow_credentials: true",
      # #   a wildcard is treated as the literal header name "*" without special semantics.
      # # - The Authorization header can't be set with a wildcard and always needs to be listed explicitly.
      # cors:
      #   # Specifies which origins are allowed to make cross-origin requests.
      #   allowed_origins:
      #     - "https://example.com"
      #     - "https://app.example.com"
      #   # HTTP methods that are allowed when accessing the resource.
      #   allowed_methods:
      #     - "GET"
      #     - "POST"
      #     - "PUT"
      #     - "DELETE"
      #     - "OPTIONS"
      #   # HTTP headers that can be used during the actual request.
      #   allowed_headers:
      #     - "Content-Type"
      #     - "Authorization"
      #     - "X-Custom-Header"
      #   # Headers that browsers are allowed to access.
      #   exposed_headers:
      #     - "Content-Type"
      #     - "X-Custom-Response-Header"
      #   # Indicates whether the request can include credentials.
      #   allow_credentials: true
      #   # Indicates how long (in seconds) the results of a preflight request can be cached.
      #   max_age: 3600
      # Optional Dynamic Labels
      commands:
        - name: "os"
          command: ["/usr/bin/uname"]
          period: "5s"
      ## Optional list of rewrite rules to apply to requests and responses
      # rewrite:
      ##   Optional simple rewriting of Location header
      ##   Rewrite the "Location" header on redirect responses replacing the
      ##   host with the public address of this application.
      #   redirect:
      #     - "localhost"
      #     - "jenkins.internal.dev"
      ##   Optional list of extra headers to inject into requests.
      #   headers:
      #     # For example:
      #     - "Host: jenkins.example.com"
      ##   Optional rewrite to remove parts of the JWT token.
      ##   Can be one of the following options:
      ##   - roles-and-traits: include both roles and traits in the JWT token
      ##   - roles: include only roles in the JWT token
      ##   - traits: include only traits in the JWT token
      ##   - none: include neither roles nor traits in the JWT token
      ##   Default: roles-and-traits
      #   jwt_claims: roles-and-traits
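The preflight rules the `cors` block documents (every field optional, a wildcard in allowed_headers that loses its meaning once allow_credentials is set, and an Authorization header that must always be listed explicitly), as an added example that is not Teleport's own code. The policy dicts are constructed from the reference's values, and the shape of the response headers assumes standard CORS semantics rather than Teleport's exact output.

```python
from __future__ import annotations

# Constructed: the reference's commented-out cors block as parsed YAML, plus a "*"
# entry in allowed_headers so the wildcard rule can be shown.
CORS_WITH_CREDENTIALS = {
    "allowed_origins": ["https://example.com", "https://app.example.com"],
    "allowed_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    "allowed_headers": ["Content-Type", "Authorization", "*"],
    "allow_credentials": True,
    "max_age": 3600,
}
# Same policy without credentials: here "*" really is a wildcard.
CORS_NO_CREDENTIALS = {**CORS_WITH_CREDENTIALS, "allow_credentials": False}
# Wildcard only, no credentials: still never covers Authorization.
CORS_WILDCARD_ONLY = {**CORS_NO_CREDENTIALS, "allowed_headers": ["*"]}


def header_allowed(header: str, cors: dict) -> bool:
    """allowed_headers rules from the reference: Authorization is only allowed when
    listed by name, and with allow_credentials the "*" entry matches nothing but a
    header literally named "*"."""
    allowed = {h.lower() for h in cors.get("allowed_headers", [])}
    name = header.lower()
    if name == "authorization":
        return name in allowed
    if "*" in allowed and not cors.get("allow_credentials", False):
        return True
    return name in allowed


def preflight(cors: dict, origin: str, method: str, request_headers: list[str]) -> dict:
    """Evaluate an unauthenticated OPTIONS preflight against the policy.
    Returns the response headers to send, or an empty dict when the preflight
    must be refused. Assumption: an absent field allows nothing for that dimension."""
    if origin not in cors.get("allowed_origins", []):
        return {}
    methods = [m.upper() for m in cors.get("allowed_methods", [])]
    if method.upper() not in methods:
        return {}
    if not all(header_allowed(h, cors) for h in request_headers):
        return {}
    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(methods),
        "Access-Control-Allow-Headers": ", ".join(cors.get("allowed_headers", [])),
    }
    if cors.get("allow_credentials"):
        response["Access-Control-Allow-Credentials"] = "true"
    if "max_age" in cors:
        response["Access-Control-Max-Age"] = str(cors["max_age"])
    return response


if __name__ == "__main__":
    # The same request is refused with credentials and accepted without them,
    # because only the second policy treats "*" as a wildcard.
    print(preflight(CORS_WITH_CREDENTIALS, "https://example.com", "PUT", ["X-Custom-Header"]))
    print(preflight(CORS_NO_CREDENTIALS, "https://example.com", "PUT", ["X-Custom-Header"]))
```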
Database Service
These settings apply to the Teleport Database Service:
db_service:
  # Enables the Database Service.
  enabled: "yes"
  # Matchers for database resources created with "tctl create" command or by the
  # discovery service.
  resources:
    - labels:
        "*": "*"
      # Optional AWS role that the Database Service will assume to access the
      # databases.
      aws:
        assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
        external_id: "example-external-id"
  # Matchers for registering AWS-hosted databases.
  aws:
    # Database types. Valid options are:
    # 'rds' - discovers and registers Amazon RDS and Aurora databases.
    # 'rdsproxy' - discovers and registers Amazon RDS Proxy databases.
    # 'redshift' - discovers and registers Amazon Redshift databases.
    # 'redshift-serverless' - discovers and registers Amazon Redshift Serverless databases.
    # 'elasticache' - discovers and registers Amazon ElastiCache Redis databases.
    # 'memorydb' - discovers and registers Amazon MemoryDB Redis databases.
    # 'opensearch' - discovers and registers Amazon OpenSearch databases.
    # 'docdb' - discovers and registers Amazon DocumentDB databases.
    - types: ["rds", "rdsproxy", "redshift", "redshift-serverless", "elasticache", "memorydb", "opensearch"]
      # AWS regions to register databases from.
      regions: ["us-west-1", "us-east-2"]
      # Optional AWS role that the Database Service will assume to discover
      # and register AWS-hosted databases.
      # Discovered databases are also accessed by the Database Service via
      # this role.
      assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
      # Optional AWS external ID that the Database Service will use to assume
      # a role in an external AWS account.
      external_id: "example-external-id"
      # AWS resource tags to match when registering databases.
      tags:
        "*": "*"
  # Matchers for registering Azure-hosted databases.
  azure:
    # Database types. Valid options are:
    # 'mysql' - discovers and registers Azure MySQL databases.
    # 'postgres' - discovers and registers Azure PostgreSQL databases.
    # 'redis' - discovers and registers Azure Cache for Redis databases.
    # 'sqlserver' - discovers and registers Azure SQL Server databases.
    - types: ["mysql", "postgres", "redis", "sqlserver"]
      # Azure regions to register databases from. Valid options are:
      # '*' - discovers databases in all regions (default).
      # Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table`
      regions: ["eastus", "westus"]
      # Azure subscription IDs to register databases from. Valid options are:
      # '*' - discovers databases in all subscriptions (default).
      subscriptions: ["11111111-2222-3333-4444-555555555555"]
      # Azure resource groups to register databases from. Valid options are:
      # '*' - discovers databases in all resource groups within configured subscription(s) (default).
      resource_groups: ["group1", "group2"]
      # Azure resource tags to match when registering databases.
      tags:
        "*": "*"
  # Lists statically registered databases proxied by this agent.
  databases:
    # Name of the database proxy instance, used to reference in CLI.
    - name: "prod"
      # Free-form description of the database proxy instance.
      description: "Production database"
      # Database protocol. Valid options are:
      # "cassandra"
      # "clickhouse"
      # "clickhouse-http"
      # "cockroachdb"
      # "dynamodb"
      # "elasticsearch"
      # "mongodb"
      # "mysql"
      # "oracle"
      # "postgres"
      # "redis"
      # "snowflake"
      # "spanner"
      # "sqlserver"
      protocol: "postgres"
      # Database connection endpoint. Must be reachable from Database Service.
      uri: "postgres.example.com:5432"
      # Optional TLS configuration.
      tls:
        # TLS verification mode. Valid options are:
        # 'verify-full' - performs full certificate validation (default).
        # 'verify-ca' - the same as `verify-full`, but skips the server name validation.
        # 'insecure' - accepts any certificate provided by the database (not recommended).
        mode: verify-full
        # Optional database DNS server name. It allows overriding the DNS name on
        # a client certificate when connecting to a database.
        # Use only with 'verify-full' mode.
        server_name: db.example.com
        # Optional path to the CA used to validate the database certificate.
        ca_cert_file: /path/to/pem
        # Optional configuration that allows Teleport to trust certificate
        # authorities available on the host system. If not set (by default),
        # Teleport only trusts self-signed databases with TLS certificates signed
        # by Teleport's Database Server CA or the ca_cert_file specified in this
        # TLS setting. For cloud-hosted databases, Teleport downloads the
        # corresponding required CAs for validation.
        trust_system_cert_pool: false
      # MySQL only options.
      mysql:
        # The default MySQL server version reported by Teleport Proxy.
        # When this option is set the Database Agent doesn't try to check the MySQL server version.
        server_version: 8.0.28
      # Optional admin user configuration for Automatic User Provisioning.
      admin_user:
        # Name of the admin user.
        name: "teleport-admin"
        # Optional default database the admin user logs into. See individual
        # guides for default value.
        default_database: "teleport"
      # Optional AWS configuration for AWS hosted databases. AWS region- and
      # service-specific configurations can usually be auto-detected from the
      # endpoint.
      aws:
        # Region the database is deployed in.
        region: "us-east-1"
        # Optional AWS role that the Database Service will assume to access
        # this database.
        assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
        # Optional AWS external ID that the Database Service will use to assume
        # a role in an external AWS account.
        external_id: "example-external-id"
        # Redshift-specific configuration.
        redshift:
          # Redshift cluster identifier.
          cluster_id: "redshift-cluster-1"
        # RDS-specific configuration.
        rds:
          # RDS instance identifier.
          instance_id: "rds-instance-1"
          # RDS Aurora cluster identifier.
          cluster_id: "aurora-cluster-1"
        # ElastiCache-specific configuration.
        elasticache:
          # ElastiCache replication group identifier.
          replication_group_id: "elasticache-replication-group-1"
        # MemoryDB-specific configuration.
        memorydb:
          # MemoryDB cluster name.
          cluster_name: "memorydb-cluster-1"
        # Optional AWS Secrets Manager configuration for managing ElastiCache
        # or MemoryDB users.
        #
        # IMPORTANT: please make sure databases sharing the same Teleport-managed
        # users have the same secret_store configuration. The configuration
        # should also be consistent across all Database Services in High
        # Availability (HA) mode.
        secret_store:
          # Prefix to all secrets created by the service. Defaults to 'teleport/'.
          key_prefix: "teleport/"
          # KMS Key ID used for secret encryption and decryption. If not
          # specified, Secrets Manager uses AWS managed key 'aws/secretsmanager'
          # by default.
          kms_key_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        # Optional session tags used when assuming IAM roles for DynamoDB access.
        session_tags:
          dynamodb_table_name: "table-a"
      # GCP specific configuration for Cloud SQL and Spanner databases.
      gcp:
        # GCP project ID.
        project_id: "xxx-1234"
        # Cloud SQL instance ID.
        instance_id: "example"
      # Settings specific to Active Directory authentication e.g. for SQL Server.
      ad:
        # Path to Kerberos keytab file.
        keytab_file: /path/to/keytab
        # Active Directory domain name.
        domain: EXAMPLE.COM
        # Service Principal Name to obtain Kerberos tickets for.
        spn: MSSQLSvc/ec2amaz-4kn05du.dbadir.teleportdemo.net:1433
        # Optional path to Kerberos configuration file. Defaults to /etc/krb5.conf.
        krb5_file: /etc/krb5.conf
      # Optional configuration for Azure hosted databases.
      azure:
        # Set is_flexi_server to true when using an Azure flexible server.
        is_flexi_server: false
        # Resource ID for the database in Azure. This field is required for Azure Cache for Redis databases.
        resource_id: "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/example-group/providers/Microsoft.Cache/Redis/example-db-name"
      # Static labels to assign to the database. Used in RBAC.
      static_labels:
        env: "prod"
      # Dynamic labels ("commands"). Used in RBAC.
      dynamic_labels:
        - name: "hostname"
          command: ["hostname"]
          period: 1m0s
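A small audit, added here and not part of Teleport, for the settings the Application Service and Database Service sections above mark as weakening TLS: `insecure_skip_verify: true` on an app, `tls.mode: insecure` on a database, and a `tls.server_name` paired with a mode other than verify-full (the reference says to use it only with verify-full). It walks an already-parsed teleport.yaml; the sample config dict, the `Finding` type and `audit_tls` are constructed for this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the relevant parts of a parsed teleport.yaml. "prod" and
# "kubernetes-dashboard" follow the reference; the other three entries each show
# one of the weak settings described above.
SAMPLE_CONFIG = {
    "app_service": {
        "enabled": "yes",
        "apps": [
            {"name": "kubernetes-dashboard", "uri": "http://10.0.1.27:8000"},
            {"name": "legacy-intranet", "uri": "https://10.0.1.28", "insecure_skip_verify": True},
        ],
    },
    "db_service": {
        "enabled": "yes",
        "databases": [
            {"name": "prod", "protocol": "postgres", "uri": "postgres.example.com:5432",
             "tls": {"mode": "verify-full", "server_name": "db.example.com",
                     "ca_cert_file": "/path/to/pem"}},
            {"name": "scratch", "protocol": "mysql", "uri": "10.0.2.5:3306",
             "tls": {"mode": "insecure"}},
            {"name": "reports", "protocol": "postgres", "uri": "reports.example.com:5432",
             "tls": {"mode": "verify-ca", "server_name": "reports.example.com"}},
        ],
    },
}

DB_TLS_MODES = ("verify-full", "verify-ca", "insecure")


@dataclass(frozen=True)
class Finding:
    path: str     # where in the config, e.g. db_service.databases[scratch].tls.mode
    value: str    # the value that was found there
    advice: str   # what the reference recommends instead


def is_true(value) -> bool:
    """Teleport accepts YAML booleans as well as yes/no strings (see `enabled: yes`)."""
    return value is True or str(value).strip().lower() in ("true", "yes")


def audit_tls(config: dict) -> list[Finding]:
    """Return one Finding per TLS-weakening setting, in config order."""
    findings: list[Finding] = []

    for app in config.get("app_service", {}).get("apps", []) or []:
        name = app.get("name", "?")
        if is_true(app.get("insecure_skip_verify", False)):
            findings.append(Finding(
                f"app_service.apps[{name}].insecure_skip_verify", "true",
                "drop the flag (default false) and trust the upstream CA instead"))

    for db in config.get("db_service", {}).get("databases", []) or []:
        name = db.get("name", "?")
        tls = db.get("tls", {}) or {}
        mode = tls.get("mode", "verify-full")   # verify-full is the documented default
        base = f"db_service.databases[{name}].tls"
        if mode not in DB_TLS_MODES:
            findings.append(Finding(f"{base}.mode", str(mode),
                                    "use one of verify-full, verify-ca, insecure"))
            continue
        if mode == "insecure":
            findings.append(Finding(f"{base}.mode", mode,
                                    "use verify-full and point ca_cert_file at the database CA"))
        if tls.get("server_name") and mode != "verify-full":
            findings.append(Finding(f"{base}.server_name", tls["server_name"],
                                    "server_name only applies with mode verify-full"))
    return findings


if __name__ == "__main__":
    for f in audit_tls(SAMPLE_CONFIG):
        print(f"{f.path} = {f.value}: {f.advice}")
```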
Discovery Service
These settings apply to the Teleport Discovery Service:
discovery_service:
  enabled: "yes"
  # discovery_group is used to group discovered resources into different
  # sets. This is required when you have multiple Teleport Discovery services
  # running. It prevents discovered services from colliding in Teleport when
  # managing discovered resources.
  # If two Discovery Services match the same resources, they must be in the
  # same discovery group.
  # If two Discovery Services match different resources, they must be in
  # different discovery groups.
  discovery_group: "disc-group"
  # poll_interval is the cadence at which the discovery server will run each of its
  # discovery cycles. The default is 5m.
  poll_interval: 5m
  # Matchers for discovering AWS-hosted resources.
  aws:
    # AWS resource types to discover and register with your Teleport cluster.
    # Valid options are:
    # 'ec2' - Amazon EC2 instances.
    # 'eks' - Amazon EKS clusters.
    # 'rds' - Amazon RDS and Aurora databases.
    # 'rdsproxy' - Amazon RDS Proxy databases.
    # 'redshift' - Amazon Redshift databases.
    # 'redshift-serverless' - Amazon Redshift Serverless databases.
    # 'elasticache' - Amazon ElastiCache Redis databases.
    # 'memorydb' - Amazon MemoryDB Redis databases.
    # 'opensearch' - Amazon OpenSearch databases.
    - types: ["ec2"]
      # AWS regions to search for resources from
      regions: ["us-east-1", "us-west-1"]
      # Optional AWS resource tags to match when registering resources
      # Defaults to a wildcard selector that matches any resource: "*":"*"
      tags:
        "*": "*"
      # Optional AWS role that the Discovery Service will assume to discover
      # and register AWS-hosted databases and EKS clusters.
      assume_role_arn: "arn:aws:iam::123456789012:role/example-role-name"
      # Optional AWS external ID that the Discovery Service will use to assume
      # a role in an external AWS account.
      external_id: "example-external-id"
      # Optional section: install is used to provide parameters to the AWS SSM document.
      # If the install section isn't provided, the below defaults are used.
      # Only applicable for EC2 discovery.
      install:
        join_params:
          # token_name is the name of the Teleport invite token to use.
          # Optional, defaults to: "aws-discovery-iam-token".
          token_name: "aws-discovery-iam-token"
        # script_name is the name of the Teleport install script to use.
        # Optional, defaults to: "default-installer".
        script_name: "default-installer"
      # Optional section: ssm is used to configure which AWS SSM document to use
      # If the ssm section isn't provided the below defaults are used.
      ssm:
        # document_name is the name of the SSM document that should be
        # executed when installing teleport on matching nodes
        # Optional, defaults to: "TeleportDiscoveryInstaller".
        document_name: "TeleportDiscoveryInstaller"
      # Optional role for which the Discovery Service should create the EKS access entry.
      # If not set, the Discovery Service will attempt to create the access
      # entry using its own identity.
      # If used, the role must match the role configured for a Teleport Kubernetes Service.
      setup_access_for_arn: arn:aws:iam::123456789012:role/kube-service-role
  # Matchers for discovering Azure-hosted resources.
  azure:
    # Azure resource types. Valid options are:
    # 'aks' - discovers and registers Azure AKS Kubernetes Clusters.
    # 'vm' - discovers and registers Azure virtual machines.
    # 'mysql' - discovers and registers Azure MySQL databases.
    # 'postgres' - discovers and registers Azure PostgreSQL databases.
    # 'redis' - discovers and registers Azure Cache for Redis databases.
    # 'sqlserver' - discovers and registers Azure SQL Server databases.
    - types: ["aks"]
      # Azure regions to search for resources from. Valid options are:
      # '*' - discovers resources in all regions (default).
      # Any valid Azure region name. List all valid regions using the Azure "az" cli: `az account list-locations -o table`
      regions: ["eastus", "westus"]
      # Azure subscription IDs to search resources from. Valid options are:
      # '*' - discovers resources in all subscriptions (default).
      # Any subscription_id: `az account subscription list -o table`
      subscriptions: ["11111111-2222-3333-4444-555555555555"]
      # Azure resource groups to search resources from. Valid options are:
      # '*' - discovers resources in all resource groups within configured subscription(s) (default).
      # Any resource_groups: `az group list -o table`
      resource_groups: ["group1", "group2"]
      # Azure resource tag filters used to match resources.
      tags:
        "*": "*"
  # Matchers for discovering GCP-hosted resources.
  gcp:
    # GCP resource types. Valid options are:
    # 'gke' - discovers and registers GKE Kubernetes clusters.
    # 'gce' - discovers and registers GCP compute instances.
    - types: ["gce"]
      # IDs of GCP projects to search for resources from.
      project_ids: ["project-id"]
      # GCP locations to search for resources from. Valid options are:
      # '*' - discovers resources in all locations.
      # Any valid GCP region (e.g. "us-west1").
      # Any valid GCP zone (e.g. "us-west1-b").
      locations: ["us-east2", "us-west1-b"]
      # Email addresses of service accounts that instances can join with.
      # If empty, any service account is allowed.
      service_accounts: []
      # GCP resource label filters used to match resources.
      labels:
        "*": "*"
  # Matchers for discovering services inside Kubernetes clusters and exposing them as Teleport apps.
  # When the `kubernetes` value is set, the `discovery_group` parameter is mandatory and should be set to
  # the name of the Kubernetes cluster where the discovery service is running.
  kubernetes:
    # Type of services to discover. Currently, only "app" is supported. Default value is `["app"]`
    - types: ["app"]
      # List of namespaces of the Kubernetes cluster to search in. Default value is `*` to search all namespaces.
      namespaces: ["test", "staging"]
      # List of Kubernetes labels to match when the Discovery service queries Kubernetes cluster services.
      # Default value is `*`: `*` to match any labels.
      labels:
        "purpose": "monitoring"
        "department": "security"
Windows Desktop Service
These settings apply to the Windows Desktop Service:
windows_desktop_service:
  enabled: yes
  # This is the address that windows_desktop_service will listen on.
  listen_addr: "0.0.0.0:3028"
  # (optional) This is the address that windows_desktop_service will advertise
  # to the rest of Teleport for incoming connections. Only proxy_service should
  # connect to windows_desktop_service, users connect to the proxy's web UI
  # instead.
  public_addr: "desktop-access.example.com:3028"
  # (optional) Determines whether desktop sessions will show a user-selected wallpaper
  # vs a system-default, single-color wallpaper. For improved visual performance,
  # set this to false (its default value).
  show_desktop_wallpaper: false
  # (optional) ldap contains configuration keys used when connecting Teleport
  # to an Active Directory domain. This enables the discovery service for
  # Windows desktops belonging to an Active Directory domain configured for
  # Teleport access.
  ldap:
    # Address of the LDAP server for secure LDAP connections.
    # Usually, this address will use port 636, like: ldap.example.com:636.
    # For best results, this address should point to a highly-available
    # endpoint rather than a single domain controller.
    addr: '$LDAP_SERVER_ADDRESS'
    # Optional: the server name to use when validating the LDAP server's
    # certificate. Useful in cases where addr is an IP but the server
    # presents a cert with some other hostname.
    server_name: '$LDAP_SERVER_NAME'
    # You can skip LDAPS certificate verification by setting
    # this to true. It is recommended that this be set to false
    # and the certificate added to your system's trusted repository,
    # or provided as a PEM encoded certificate using the ldap_ca_cert variable.
    # You can provide a filepath with der_ca_file, but this behavior is deprecated.
    insecure_skip_verify: false
    # PEM encoded LDAP CA certificate.
    ldap_ca_cert: |
      -----BEGIN CERTIFICATE-----
      *certificate data*
      -----END CERTIFICATE-----
    # DER encoded LDAP CA certificate.
    # deprecated: prefer ldap_ca_cert instead
    der_ca_file: /path/to/cert
    # Active Directory domain name you are connecting to.
    domain: '$LDAP_DOMAIN_NAME'
    # LDAP username for authentication. This username must include the domain
    # NetBIOS name. The use of single quotes here is intentional in order to
    # avoid the need to escape the backslash (\) character.
    #
    # For example, if your domain is "example.com", the NetBIOS name for it is
    # likely "EXAMPLE". When connecting as the "svc-teleport" user, you should
    # use the format: "EXAMPLE\svc-teleport".
    username: '$LDAP_USERNAME'
    # The security identifier of the service account specified by the username
    # field above. This looks like a string starting with "S-".
    #
    # Any AD user with permission to read user objects can obtain this value
    # by opening a PowerShell and running
    # ```
    # Get-AdUser -Identity $LDAP_USERNAME | Select SID
    # ```
    #
    # The value can be obtained over LDAP by constructing a query with the
    # filter = (&(objectCategory=person)(objectClass=user)(sAMAccountName=$LDAP_USERNAME))
    # and requesting the attribute = objectSid
    sid: '$LDAP_USER_SID'
  # (optional) When AD support is used, this field allows you to override
  # the domain that Teleport uses for PKI operations. If empty, the domain
  # from the ldap section is used. This can be useful for cases where PKI
  # is configured in a root domain but Teleport is used to provide access
  # to users and computers in a child domain.
  pki_domain: root.example.com
  # (optional) Configures the address of the Kerberos Key Distribution Center,
  # which is used to support RDP Network Level Authentication (NLA).
  # If empty, the LDAP address will be used instead.
  #
  # example: kdc.example.com:88.
  # The port is optional and defaults to port 88 if unspecified.
  #
  # Note: NLA is only supported in Active Directory environments - this field has
  # no effect when connecting to desktops as local Windows users.
  kdc_address: '$KDC_SERVER_ADDRESS'
  # (optional) static_hosts is a list of hosts to register as WindowsDesktop
  # objects in Teleport. You can define host name and labels directly.
  static_hosts:
    - name: example1
      ad: false
      addr: win1.dev.example.com
      labels:
        datacenter: dc1
    - ad: true
      addr: win2.dev.example.com # name will be generated based on address
      labels:
        controller: all
  # (optional) settings for enabling automatic desktop discovery via LDAP
  discovery:
    # The wildcard '*' character tells Teleport to discover all the hosts in
    # the Active Directory Domain. To refine the search, specify a custom DN.
    # To disable automatic discovery, leave this field blank.
    base_dn: '*'
    # (optional) LDAP filters for further customizing the LDAP search.
    # See https://ldap.com/ldap-filters for details on LDAP filter syntax.
    filters:
      - '(location=Oakland)'
      - '(!(primaryGroupID=516))' # exclude domain controllers
    # (optional) LDAP attributes to convert into Teleport labels.
    # The key of the label will be "ldap/" + the value of the attribute.
    label_attributes:
      - location
  # (optional) configure a set of label selectors for dynamic registration.
  # If specified, this service will monitor the cluster for dynamic_windows_desktop
  # and automatically proxy connections for desktops with matching labels.
  resources:
    - labels:
        "env": "dev"
  # (optional) rules for applying labels to Windows hosts based on regular expressions
  # matched against the host name. If multiple rules match, the desktop will
  # get the union of all matching labels.
  host_labels:
    - match: '^.*\.dev\.example\.com'
      labels:
        environment: dev
    - match: '^.*\.prod\.example\.com'
      labels:
        environment: prod
    - match: '^EC2AMAZ-'
      labels:
        environment: discovered-in-aws
  # Labels to attach to the Windows Desktop Service. This is used internally, so
  # any custom labels added won't affect the Windows hosts.
  labels:
    teleport.internal/resource-id: "resource-id"
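How the `discovery` and `host_labels` blocks above combine for one discovered host, as an added example that is not Teleport's code: `base_dn` and `filters` shape the LDAP search, each `label_attributes` entry becomes an "ldap/<attribute>" label, and every `host_labels` rule whose regular expression matches the host name contributes its labels. The rules and filters are the reference's own; the base filter for computer objects, the mapping of '*' to the domain's root DN, the LDAP attribute dicts and the later-rule-wins behaviour on duplicate keys are assumptions made for this example.

```python
from __future__ import annotations
import re

# The discovery and host_labels blocks from the reference, as parsed YAML.
DISCOVERY = {
    "base_dn": "*",
    "filters": ["(location=Oakland)", "(!(primaryGroupID=516))"],
    "label_attributes": ["location"],
}
HOST_LABEL_RULES = [
    {"match": r"^.*\.dev\.example\.com", "labels": {"environment": "dev"}},
    {"match": r"^.*\.prod\.example\.com", "labels": {"environment": "prod"}},
    {"match": r"^EC2AMAZ-", "labels": {"environment": "discovered-in-aws"}},
]

# Assumption: discovery only looks for computer objects and ANDs the
# administrator's `filters` onto this base filter.
BASE_FILTER = "(objectClass=computer)"


def search_base(domain: str, base_dn: str):
    """'*' searches the whole domain (assumption: the domain's root DN, so
    example.com becomes DC=example,DC=com); a blank value disables discovery
    and yields None; any other DN is used as given."""
    if not base_dn:
        return None
    if base_dn == "*":
        return ",".join(f"DC={part}" for part in domain.split("."))
    return base_dn


def search_filter(filters: list[str]) -> str:
    """AND the base filter with the user filters; a lone filter needs no (&...) wrapper."""
    clauses = [BASE_FILTER, *filters]
    return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"


def labels_from_ldap(attrs: dict, label_attributes: list[str]) -> dict:
    """Each listed LDAP attribute present on the object becomes "ldap/<attribute>"."""
    return {f"ldap/{a}": attrs[a] for a in label_attributes if a in attrs}


def labels_from_host_rules(hostname: str, rules: list[dict]) -> dict:
    """Union of the labels of every rule whose regexp matches the host name.
    Assumption: when two matching rules set the same key, the later rule wins."""
    labels: dict = {}
    for rule in rules:
        if re.search(rule["match"], hostname):
            labels.update(rule["labels"])
    return labels


def desktop_labels(hostname: str, ldap_attrs: dict,
                   discovery: dict = DISCOVERY, rules: list[dict] = HOST_LABEL_RULES) -> dict:
    """Labels a discovered desktop ends up with: LDAP-derived first, then host rules."""
    labels = labels_from_ldap(ldap_attrs, discovery["label_attributes"])
    labels.update(labels_from_host_rules(hostname, rules))
    return labels


if __name__ == "__main__":
    print(search_base("example.com", DISCOVERY["base_dn"]), search_filter(DISCOVERY["filters"]))
    # Constructed LDAP attributes for a host returned by that search.
    print(desktop_labels("win1.dev.example.com", {"location": "Oakland", "cn": "WIN1"}))
```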
Jamf Service
These settings apply to the Jamf Service:
# This section configures the Jamf service.
jamf_service:
  # Enables the Jamf service. Default is 'no'
  enabled: yes
  # Name of the sync source corresponding to the service.
  # Jamf service sources with the same name manage the same devices, which is
  # particularly relevant during device removal.
  # If you have multiple Jamf sources, make sure to give them distinct,
  # descriptive names.
  # Default is 'jamf'.
  name: jamf
  # API endpoint for the Jamf Pro API.
  # Required.
  api_endpoint: https://yourtenant.jamfcloud.com
  # Username for the Jamf Pro API.
  # Prefer using client_id and client_secret_file.
  # If both username+password and client_id+client_secret are set the service
  # will use the latter.
  username: teleport
  # Path to a file containing the password for the Jamf Pro API.
  # It is recommended to set the permissions for the file as restrictively as
  # possible.
  # Prefer using client_id and client_secret_file.
  # If both username+password and client_id+client_secret are set the service
  # will use the latter.
  password_file: /var/lib/teleport/jamf_password.txt
  # Client ID for the Jamf Pro API.
  # See https://developer.jamf.com/jamf-pro/docs/client-credentials.
  client_id: your-client-id
  # Path to a file containing the client secret for the Jamf Pro API.
  # It is recommended to set the permissions for the file as restrictively as
  # possible.
  # See https://developer.jamf.com/jamf-pro/docs/client-credentials.
  client_secret_file: /var/lib/teleport/jamf_client_secret.txt
  # Delay for initial syncs.
  # Set to zero for syncs to start after a short random delay (a couple minutes
  # max).
  # Set to -1 for immediate syncs on startup.
  # Default is '0'.
  sync_delay: 0
  # If `true` the Teleport process runs all Jamf syncs immediately and exits as
  # soon as they are done. Implies `sync_delay=-1`.
  # Useful for cron-like executions of Jamf syncs.
  # Default is `false`.
  exit_on_sync: false
  # Inventory sync entries.
  # Each entry corresponds to its own sync schedule and may have different
  # filters and intervals.
  # If the inventory section is absent a preset sync configuration is used.
  inventory:
    # Sync period for partial syncs.
    # A partial sync attempts to fetch new and modified devices, but won't scan
    # the entire Jamf inventory.
    # Set to zero or -1 to disable partial syncs.
    - sync_period_partial: 6h
      # Sync period for full syncs.
      # A full sync scans the entire Jamf inventory, processing new/modified
      # devices and removals from Jamf.
      # Set to zero or -1 to disable full syncs.
      sync_period_full: 24h
      # Action to take against devices missing from Jamf but present in Teleport.
      # Valid options are:
      # 'DELETE' - devices removed from Jamf are removed from Teleport.
      # (Requires a full sync.)
      # 'NOOP' - devices removed from Jamf are left in Teleport.
      # Default is 'NOOP'.
      on_missing: NOOP
      # Device filters forwarded to the Jamf Pro API queries.
      # Refer to https://developer.jamf.com/jamf-pro/reference/get_v1-computers-inventory
      # for the possible filter values.
      # Default is ''
      filter_rsql: ''
      # Custom page size for inventory queries.
      # Useful if Jamf reads are failing due to the page length, but otherwise
      # better left alone.
      # If absent, zeroed or negative a server default is used.
      page_size: 0
Debug Service
These settings apply to the Debug Service
# These settings apply to the Debug service:
debug_service:
  enabled: true
Configuration versions
In order to avoid breaking existing configurations, Teleport's configuration is versioned. The newest configuration version is v3. If a version is not specified in the configuration file, v1 is assumed.
Some new Teleport features require users to opt in by explicitly upgrading their configuration to a newer version.
Config v1
v1 is the original version of Teleport's file configuration. It is still supported today, but most new users should start with the latest configuration version.
Config v2
Configuration version v2 was introduced in Teleport 8 as part of Teleport's TLS routing feature. With TLS routing, Teleport's proxy listens on a single port and uses ALPN and SNI to route incoming traffic to the correct Teleport service rather than listening on multiple protocol-specific ports.
For backwards compatibility, configuration version v1 always listens on these protocol-specific ports. When Teleport is using configuration version v2, the individual protocol-specific ports are not opened unless explicitly set.
Config v3
Configuration version v3 was introduced with Teleport 11. In version 3, the auth_servers field is no longer supported, and agents must specify one of auth_server or proxy_server to indicate which endpoint to use for joining a Teleport cluster.
Previous versions of Teleport allowed auth_servers to point to Auth Servers or Proxy Servers. As a result, Teleport would try to connect in multiple different modes, resulting in confusing error messages. With config version 3, Teleport only attempts to connect in a single mode, which is both more efficient and easier to troubleshoot.
For example, this excerpt from a v2 config can be converted to v3 with the following changes.
-version: v2
+version: v3
teleport:
- auth_servers: [ teleport.example.com:443 ]
+ proxy_server: teleport.example.com:443
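A pre-flight check for two rules this page spells out, the v3 rule that agents set exactly one of auth_server or proxy_server (and no auth_servers) and the Jamf rule that on_missing: DELETE only takes effect during a full sync, as added example code that is not part of Teleport. It inspects the dictionary that yaml.safe_load() would produce from teleport.yaml; the sample configs are constructed inline and the duration parser handles only the h/m/s units.

```python
import re
from typing import Any

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0}  # Go-style duration units (subset)

def duration_seconds(value: Any) -> float:
    """Parse '6h', '1h30m', 0 or -1 into seconds; zero or negative means 'disabled'."""
    if isinstance(value, (int, float)):
        return float(value)
    text = str(value).strip()
    if re.fullmatch(r"-?\d+", text):  # bare number such as '0' or '-1'
        return float(text)
    body = text.lstrip("-")
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", body)
    if not parts or "".join(n + u for n, u in parts) != body:
        raise ValueError(f"unsupported duration: {value!r}")
    total = sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)
    return -total if text.startswith("-") else total

def check_config(cfg: dict[str, Any]) -> list[str]:
    """Return findings for the version and Jamf sync rules; an empty list is clean."""
    findings: list[str] = []
    version = str(cfg.get("version", "v1"))  # a missing version key means v1
    tele = cfg.get("teleport") or {}
    if version == "v3":
        if "auth_servers" in tele:
            findings.append("v3: auth_servers is unsupported; use auth_server or proxy_server")
        if sum(k in tele for k in ("auth_server", "proxy_server")) != 1:
            findings.append("v3: set exactly one of auth_server or proxy_server")
    elif version == "v1":
        findings.append("v1: protocol-specific ports are always opened; v2+ uses TLS routing")
    jamf = cfg.get("jamf_service") or {}
    if str(jamf.get("enabled", "")).lower() in ("true", "yes"):
        if jamf.get("password_file") and jamf.get("client_secret_file"):
            findings.append("jamf_service: password_file is ignored when client_id/secret are set")
        for i, entry in enumerate(jamf.get("inventory") or []):
            # DELETE only acts during a full sync, so it is dead config when full syncs are off.
            full = duration_seconds(entry.get("sync_period_full", "24h"))
            if entry.get("on_missing") == "DELETE" and full <= 0:
                findings.append(f"jamf_service.inventory[{i}]: on_missing DELETE needs full syncs")
    return findings

# Constructed samples: the page's v2 excerpt, its v3 conversion and a Jamf block.
V2_CFG = {"version": "v2", "teleport": {"auth_servers": ["teleport.example.com:443"]}}
V3_CFG = {"version": "v3", "teleport": {"proxy_server": "teleport.example.com:443"}}
JAMF_CFG = {**V3_CFG, "jamf_service": {
    "enabled": True, "password_file": "/var/lib/teleport/jamf_password.txt",
    "client_secret_file": "/var/lib/teleport/jamf_client_secret.txt",
    "inventory": [{"sync_period_partial": "6h", "sync_period_full": -1, "on_missing": "DELETE"}]}}
```

Run check_config on the loaded file before restarting teleport; the JAMF_CFG sample deliberately trips both Jamf findings.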